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DECLARATION UNDER $7 C.F.R. J 1,132 

I, Daniel Catrern. hereby state that 

1, I am an expert in the field of information security, 

2, 1 am a Senior Research Engineer at Ericsson in Aachen, Germany, 

3, I was in 2007 with the German Fedora! Office for Information Security 
(BS!) in Bonn, Germany, I held an engineering position at the department for the 
development of c 



Amendment - PAGE 1 of 4 



Attorney Docket No. P16731-US1 
' Customer Numbar 27045 

4. [ received my Ph.D. in Communications Engineering from Rhelnisch- 
Westfalische Teehnische Hochschule Aachen University in 2007, 

5. While attending Rheimsch-Westfaiische Teehnische Hochschule Aachen 
University, ! hold the position of Researcher at the Institute for Theoretical information 
Technology (2004-200?) and the institute of Steohastics (2001-2004). 

6. My experience as a Sensor Research Engineer at Ericsson, as an 
Engineer at the 8SI and as a Researcher at Rheirtfsch-Westfalische Teehnische 
Hochschule Aachen University forms the basis for my opinion. 

?, Examiner Chai asserted that ,! {a) any transformed random number / public 
key that can uniquely identify a user is qualified as part of a 'principle identifier* of the 
user and (fo) the user information (e.g., user public key, user random number and etc) 
included in the access request query package / message is qualified as a principle." 
This assertion by Examiner Chai would oniy hold true if data providing entity has means 
to relate the data provided in the query package to the corresponding user, which Is not 
the case for Eppsiein, as detailed in the following. 

Subject of Eppsiein is to provide to a user access to data from an information 
provider such that the user stays anonymous to the information provider. 
PI 8731 oblecf is to provide to a data requesting entity access to data that is related to a 
principal identifier. By providing the principal identifier to the data providing entity, the 
principal is known to the data providing entity In so far as the "principal identifier 
represents the principal towards the data providing entity". 

9. According to Eppstein, the user makes a query Q with Q-relevanf medical 
information of the user (e.g. symptoms, medical images, blood test results, history) in 
;h ted T ^e< 

information provider receiving the query Q formulates a response R. Hence Q is related 
to R at the information provider. Thus, information at the Information provider of 
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Eppstein has no relation to any user identity. In fact, information is not related to any 
particular user but to a query Q from which everything from which the user could be 
identified from has been redacted. 

Further, according to Eppstein, for a formulated query, the public key of the user 
and the private key of the user are generated at the user equipment 12 "for the sole use 
of said formulated query" (see description and claim 1). The query contains the freshly 
generated public key of the user. No information at the Information provided Is related to 
this public key of the user In advance as the public key of the user is freshly generated 
for the sole purpose of this query. Furthermore, the public key is solely used for 
encrypting the response. To summarize, the public key of the user according to 
Eppstein cannot be used for identification purposes at all and is not used therefore! 
Mote that the same holds true for the generated random number. 

In PI 8731, the data Is related to the principal Identifier. Access to data that Is 
related to a particular principal identifier Is provided within the limits of the access 
specification for this particular principal identifier In the access granting ticket. Further, 
the principal Identifier represents the principal towards the data providing entity, i,e, the 
data providing entity knows when receiving and processing an access granting ticket 
comprising a principal identifier the principal as represented by this principal identifier. 

10. Further, I want to point out that the flow of information and the roles of 
involved entities differ between Eppstein and PT8731, 

In Eppstein, the query is sent from the user equipment 12 to the public terminal 
14 and from there to the Information provider 18 which then posts the requested 
information to the public bulletin board 20 from which the user can access this 
information either from the public terminal 14 or from user equipment 12, in short 

A) 12->14->18->20->14or 

B) 12->14->18->2G->12 
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In P16731, the access granting ticket is sent from the principal entity (PE) to the 
data requesting entity (IRE) to the data providing entity (IFE) which provides access to 
the data according to the contents of the access granting ticket to tie data requesting 
entity (IRE), in short 

C) PE~>IRE->IPE->IRE 

Comparing 8) with C), it is evident that no access to the information Is provided 
to the public terminal 14, i.e. the public terminal 14 does not qualify for a data 
requesting entity to which access to the data is provided. 

Comparing A) with C), the information Is provided to the public terminal 14, 
however, the information is still encrypted and the public terminal 14 cannot access the 
information. Hence, also here the public terminal 14 does not qualify for a data 
requesting entity to which access to the data is provided , 

11. I hereby declare that all statements made herein of my own knowledge 
are true, and that all statements made on information and belief are believed to be true; 
and further, that these statements are made with the knowledge that willful false 
statements, and the like so made, are punishable by fine or imprisonment, or both, 
under Section 1001, Title 18 of the United States Code, and that such willful false 
statements may jeopardize the validity of the application or any patent Issuing thereon. 

Date if . 

v " Daniel Cairein 
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